Hi,

Let me state first: I know that any user that wants to run a program (or even log in), has to have access to (probably at least) the Windows system directories and the shared libraries in %ProgramFiles%, but I'd like to be able to contain Skype, for example, by running it with an unprivileged user and make sure that it can't access any unnecessary files.

I fear that the only way to do this would be to identify all of the gazillion directories where I store files that I don't want this user to access and then create a new user group that can access these directories, or run Skype and Azureus in a VM.

Is there a better way?

Thanks in advance!

A: 

Besides using a VM you could look into using a Sandbox. Look at Sandboxie for an example.

Adam Peck
A: 

Maybe sudown is a solution. It's a sudo-similar (as known from Linux) approach to running as unprivileged user, but having the possibility to promote to an administrative account (with password) when needed.

I suppose you could lock down the machine so the user can solely log on, not even start skype with his rights, but start skype by "run as" with sudown.

lImbus
+1  A: 

Normally, accounts are members of the Users group at least, which does have access to many things. You could make the account a member of no groups, or the Guests group which is very restrictive.

The real issue is that the program's token (an internal security object that keeps track of what security identities a running process has) will contain the Everyone and Authenticated Users groups, which also have read access to lots of stuff. There is no way to create an account without those groups. You could remove the access that Everyone and Authenticated Users groups have to most everything, but it would be a lot of work to track all those down.

I would say that creating a standard user or guest access account for untrusted programs would be plenty secure enough. To support self-updates and to keep related files in the same place, I suggest you install those programs directly in the profile of the user account they will be running as, e.g. C:\Documents and Settings\skype\Program Files\Skype

If you want to get really fancy, you can use a restricted token to either make the Everyone, Authenticated Users, etc. groups deny only (so they can't grant any access) or create a Restricted SID list. This will be difficult to implement because there are global objects that programs will expect to access that the Everyone group has access to, which is normally a safe choice.

See CreateRestrictedToken Function.

There is also an open-source command line program I created for creating restricted tokens and job objects on the fly for that purpose: UlimitNT

Chris Smith
I worked on this for a bit now... it seems that every program created by a user that is not a member of the group "HOSTNAME\Users" is automatically a member of "BUILT-IN\Users" and this seems to have the same access privileges as the normal Users group. Can you tell me anything about that?
jdelic
BUILTIN is the category for the "Users" SID. "HOSTNAME\Users" is misleading because it implies that each system has its own Users group, but the fact is that Users is one of several non-unique SIDs that have the same value in all domains. http://support.microsoft.com/kb/243330
Chris Smith
I didn't know that an account automatically belongs to "Users" if you don't specify something else. I'll have to remember that. In that case, add the account to the Guests group instead, which has practically no access of its own.
Chris Smith
Your program (UlimitNT) is just what I'm looking for, but the site seems to be not working, can you give another link to it, please?
Antony Hatchkins
Apparently, Comcast decided to stop routing unsolicited traffic to me. I uploaded the project to Google Code instead (a better home for it really). http://code.google.com/p/ulimitnt/
Chris Smith
A: 

Simply use the ACL APIs (samples in MSDN).
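The approach from the accepted answer above (a separate account moved from Users to Guests, the program installed inside that account's profile, explicit ACLs on the data that matters) and the ACL suggestion in this answer, as an added PowerShell example that is not from the thread and not part of UlimitNT. It assumes Windows 10 or later with the built-in LocalAccounts module, an account named skype-sandbox, an installer at C:\Temp\SkypeSetup.exe and a private folder D:\Private; all three names are placeholders.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell on
# Windows 10/11. Assumed names: account "skype-sandbox", installer
# C:\Temp\SkypeSetup.exe, and a private folder D:\Private the program must never read.
$Account   = 'skype-sandbox'
$Installer = 'C:\Temp\SkypeSetup.exe'
$Private   = 'D:\Private'

# 1. Create the account with a random password that lives only in this session;
#    no human ever logs on with it.
Add-Type -AssemblyName System.Web
$plain  = [System.Web.Security.Membership]::GeneratePassword(24, 4)
$secure = ConvertTo-SecureString $plain -AsPlainText -Force
New-LocalUser -Name $Account -Password $secure -PasswordNeverExpires `
    -Description 'Account for running untrusted programs' | Out-Null

# 2. Accounts end up in Users by default (as the thread notes); move this one to
#    Guests, which has almost no access of its own. Assumes Guests still holds the
#    default "Allow log on locally" right; if the launch below fails with logon
#    error 1385, that right has been removed by policy and must be granted.
Remove-LocalGroupMember -Group 'Users' -Member $Account -ErrorAction SilentlyContinue
Add-LocalGroupMember -Group 'Guests' -Member $Account

# 3. The token still carries Everyone and Authenticated Users, which are granted
#    read access in many places. Instead of hunting down every such ACL, put an
#    explicit Deny ACE for this account on the data that matters: Deny entries
#    are evaluated before any inherited Allow, so those group grants cannot win.
icacls $Private /deny "${Account}:(OI)(CI)(F)" | Out-Null

# 4. Run the installer as the account. -LoadUserProfile creates the profile so the
#    program can be installed inside it; when the installer asks for a location,
#    choose <profile>\Program Files\Skype (the layout suggested in the thread).
$cred       = New-Object System.Management.Automation.PSCredential($Account, $secure)
$profileDir = Join-Path $env:SystemDrive "Users\$Account"
Write-Host "Install into: $(Join-Path $profileDir 'Program Files\Skype')"
Start-Process -FilePath $Installer -Credential $cred -LoadUserProfile `
    -WorkingDirectory $env:SystemDrive -Wait

# 5. Verify the containment: the Deny ACE must be present, and a directory
#    listing attempted as the sandbox account must fail (non-zero exit code).
(Get-Acl $Private).Access | Where-Object { $_.IdentityReference -like "*\$Account" }
$check = Start-Process -FilePath 'cmd.exe' -ArgumentList "/c dir `"$Private`"" `
    -Credential $cred -LoadUserProfile -WorkingDirectory $env:SystemDrive -Wait -PassThru
if ($check.ExitCode -ne 0) { "Read of $Private as ${Account}: denied (expected)" }
else                       { "Read of $Private as ${Account}: ALLOWED - check the ACL" }
```

The Deny ACE only covers the folders you list; anything readable by Everyone or Authenticated Users elsewhere stays readable, which is exactly the gap the restricted-token approach in the accepted answer closes.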